Windows, Adobe Zero-Day used to hack Windows users


The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) claimed on Wednesday that they found an Austrian-based private-sector offensive actor (PSOA) operating multiple Windows and Adobe 0-day exploits in ” limited and targeted attacks” against European and Central American customers.

For the inexperienced, PSOAs are private companies that manufacture and sell cyber weapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and other devices.

Austria-based PSOA called DSIRF, which Microsoft had named Knotweed, has been linked to the development and attempted sale of a malware toolset called “Subzero”.

DSIRF promotes itself on the website as a company that “provides mission-oriented services in information investigation, forensics and data-driven intelligence to multinational companies in the technology, retail, energy and financial sectors” and has “a range of highly advanced techniques for collecting and analyzing information.”

The Redmond giant said Austria-based DSIRF is part of a group of cyber mercenaries that sell hacking tools or services through various business models. Two common models for this type of actor are access-as-a-service and hack-for-hire.

MSTIC found that the Subzero malware was distributed on computers in several ways in the years 2021 and 2022, including 0-day exploits in Windows and Adobe Reader.

As part of the investigation into the usefulness of this malware, Microsoft’s communication with a Subzero victim revealed that they had not consented to red teaming or penetration testing, and confirmed that it was unauthorized, malicious activity.

“Victims observed so far include law firms, banks and strategic consultancies in countries such as Austria, the United Kingdom and Panama. It is important to note that identifying targets in a country does not necessarily mean that a DSIRF customer resides in the same country, as international targeting is common,” Microsoft wrote in a detailed blog post.

“MSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks. These include command-and-control infrastructure used by the malware that links directly to DSIRF, a DSIRF-associated GitHub account used in a single attack, a code-signing certificate issued to DSIRF that is used to create a ​​exploit, and assign other open-source news stories Subzero to DSIRF.”

In May 2022, Microsoft discovered an Adobe Reader Remote Code Execution (RCE) and a 0-day exploit chain for Windows privilege escalation that was used in an attack that led to the deployment of Subzero.

“The exploits were packaged in a PDF document that was emailed to the victim. Microsoft was unable to get their hands on the PDF or Adobe Reader RCE portion of the exploit chain, but the victim’s Adobe Reader version was released in January 2022, meaning the exploit used was either a one-day exploit developed between January and May, or a 0-day exploit,” the company explains.

Based on DSIRF’s extensive use of additional zero-days, Microsoft believes that the Adobe Reader RCE was indeed a zero-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, and then patched in July 2022 as CVE-2022-22047 in the Windows Client/Server Runtime Subsystem (csrss.exe).

The Austrian company’s exploits are also linked to previous two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) used in conjunction with an Adobe Reader exploit (CVE-2021-28550) , all of which were patched in June 2021.

In 2021, the group of cyber mercenaries was also linked with exploiting a fourth zero-day, an escalation flaw of Windows privileges in the Windows Update Medic Service (CVE-2021-36948), which allowed an attacker to force the service to run a random signed DLL.

To prevent such attacks, Microsoft recommended that its customers:

  • Prioritize patching CVE-2022-22047.
  • Confirm that Microsoft Defender Antivirus has been updated to security information update 1.371.503.0 or later to detect the related indicators.
  • Use the included indicators of compromise to find out if they exist in your area and to assess for possible intrusion.
  • Change the security settings of Excel macros to determine which macros run and under what conditions when you open a workbook. Customers can also stop malicious XLM or VBA macros by ensuring that runtime macro scanning by Antimalware Scan Interface (AMSI) is enabled.
  • Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure MFA is enforced for all external connectivity.
  • Review all authentication activity for remote access infrastructure, with a focus on accounts configured with single-factor authentication, to confirm authenticity and investigate any abnormal activity.

In addition to using technical means to disrupt knotweed, Microsoft has also submitted written testimony to the House Permanent Select Committee on Intelligence Hearing on “Combating the Threats to U.S. National Security Through the Spread of Foreign Commercial Spyware.”

Leave a Comment